Researchers at SEC Consult have discovered a couple of issues that can be exploited to access VPN authentication credentials associated with the product.

One of the problems is related to the fact that the VPN credentials are stored in a configuration file (on Linux and macOS) and in the registry (on Windows) – locations that are easily accessible.

The second issue is that while the credentials are stored in an encrypted form, the decryption key is hardcoded in the application and it’s the same across all installations. An attacker can easily find the encrypted passwords and decrypt them using the hardcoded key.

“The vulnerabilities are mostly problematic in an enterprise environment where the VPN is often authenticated against domain accounts,” Johannes Greil, head of the SEC Consult Vulnerability Lab, told SecurityWeek. “(Internal) attackers with valid domain credentials can then harvest all credentials of all other VPN users and gain access to their domain user account (e.g. read emails, etc).”

SEC Consult has created a proof-of-concept (PoC) tool that exploits the vulnerability to recover passwords, but it will only be made public after users have had a chance to update their FortiClient installations.

The security hole is tracked as CVE-2017-14184, and SEC Consult has classified it as having high severity, while Fortinet has assigned it a 4/5 risk rating.

The vulnerability affects FortiClient 5.6.0 and earlier for Windows and Mac, and version 4.4.2334 and earlier of the SSL VPN client for Linux – the Android and iOS apps are not impacted. Patches are included in FortiClient 5.6.1 for Windows and Mac, and FortiClient 4.4.2335 for Linux, which the vendor released alongside FortiOS 5.4.7.

Fortinet was informed about the security hole in mid-September and the patches were released a few weeks ago.
To read the original article: